Resource Public Key Infrastructure (RPKI)

Overview

RPKI is a free, opt-in service that allows users to certify their ARIN Internet number resources that are covered by an RSA/LRSA to help secure Internet routing. Using cryptographically verifiable certificates, RPKI allows IP address holders to specify which Autonomous Systems (ASes) are authorized to originate their IP address prefixes. With RPKI, Border Gateway Protocol (BGP) route announcements that are issued from a router are validated to make sure that the route is coming from the resource holder and that it is a valid route. This is done through Route Origin Authorizations (ROAs). ROAs are created by network operators and used by other network operators to make routing decisions. They provide verification that the routes being advertised are correct and can be used safely in routing tables.
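The following is an added example, not ARIN's code: it shows the origin-validation decision (as specified in RFC 6811) that a network operator applies to a BGP announcement using validated ROA data. It goes beyond the text above by using each ROA's maximum prefix length; the ROA list, prefixes and AS numbers are constructed from documentation ranges, and the function name is hypothetical.

```python
import ipaddress

# Constructed sample of validated ROA data: (prefix, max length, origin AS).
# Prefixes are documentation ranges; AS numbers are reserved for documentation.
ROAS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    (ipaddress.ip_network("203.0.113.0/24"), 25, 64501),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64500),
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, roa_as in roas:
        # A ROA applies only if it covers the announced prefix: same address
        # family, and the announcement is equal to or more specific than it.
        if roa_prefix.version != route.version or not route.subnet_of(roa_prefix):
            continue
        covered = True
        # Match: authorized origin AS and prefix no longer than the max length.
        # AS 0 in a ROA authorizes no origin, so it never matches.
        if roa_as != 0 and roa_as == origin_as and route.prefixlen <= max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    # Covered by no ROA: the holder has published nothing for this space.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64500),      # authorized origin, exact prefix
        ("192.0.2.0/24", 64511),      # covered, but wrong origin AS
        ("192.0.2.128/25", 64500),    # right origin, longer than max length
        ("198.51.100.0/24", 64500),   # no covering ROA
    ]
    for prefix, asn in announcements:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn)}")
```

An announcement that is more specific than the ROA's maximum length is invalid even when the origin AS is the authorized one, which is why the third sample fails.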

Benefits of RPKI

Internet routing is dependent upon many chains of network relationships that are based on mutual trust. Each party trusts that the route used to transmit information is safe, accurate, and will not be maliciously altered. This model proved sufficient in the early stages of Internet development, but has become increasingly vulnerable to abuse and attack as the Internet's resources have undergone a massive increase in usage. Using cryptographically verifiable statements, RPKI helps to ensure that Internet number resource holders are certifiably linked to those resources, and reliable routing origin data is available upon which to base routing decisions.

Components of RPKI

RPKI fulfills security requirements through the generation of:

Resource certificates: These certificates digitally verify that a resource has been allocated or assigned to a specific entity.

Note: Some Early Registration Transfer Project Space (ERX space) will not be covered by resource certificates at this time. ARIN plans to implement this feature in future releases of RPKI functionality. This involves ongoing coordination with other Regional Registries.

Participating in RPKI

RPKI participation can be divided into two main areas. Choose the type of RPKI you want to implement to view instructions and additional information.

Using RPKI as a Relying Party: Obtaining information about routes and using RPKI as a relying party (to make routing decisions for your network). You need to download the ARIN Trust Anchor Locator (TAL) and use it with an RPKI validator.